them out to hackers so they can upload malicious code into user files. What you end up with is a flood of complaints from users about errors on their site and being flagged by Google for malicious content. And as you know, when things like this happen the first person the customer tends to blame is the hosting provider.

While it’s really not something you as the hosting provider can control, there are measures you can take to secure your server against FTP hacks.

The Things You Probably Noticed

You probably started thinking about FTP security when you started getting complaints about hacked sites. After looking into it further, you notice that the hack on most all the sites are very similar, and that all the hack files were uploaded via FTP by someone that is not the actual user of the account. When this happens to a bunch of users on the same server, the first inclination is…Ok, wow, the server got hacked.

That’s what I initially thought, but it became very obvious that someone was out there, spreading passwords around like wildfire. I still don’t actually know where the password were obtained from, but the most common theory out there is that a security hole in Adobe software, named “The Gumblar Virus” used the plain-text storage mechanisms of common FTP clients (like Filezilla, CuteFTP, etc) to capture passwords and send them to hackers. These hackers then used scripts to automatically download files from a user’s account, modify them, and re-upload them.

To make matters worse, the hack eventually evolved to where other servers were hacking other servers using this attack method. One of our sysadmins once found a file uploaded to a compromised account that had a list of over 100 usernames, password, and server combinations, that was clearly used to automate attacks to other servers.

Enforcing Encrypted Logins

You can force your users to use encrypted connections in order to connect via FTP to the server. To do this, go to WHM > FTP Server Configuration and set the option for TLS Encryption Support to Required. The cipher suite should also be set to something like:

ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2

Note that this is for FTP over TLS, which is the general preference since SFTP requires enabling port 22 and SSH access, which most hosting providers tends to swing against in a shared hosting environment. After enabling TLS, you can install a SSL certificate for FTP in WHM > Manage Service SSL Certificates, which is the hostname that your users should connect to over Passive/Explicity TLS in their FTP clients. By requiring SSL your customers are less likely to have their password sniffed out by network packet sniffers.

FTP Upload Scanning

One thing I noticed is that most hosting providers are reacting to the malicious file uploads by enabling upload scanning to catch certain strings within the files. In the situation with IMH (as released in our official statement about the FTP hack problem), if our scanner detects a user uploading malicious files, the scanner will block that person’s IP, change the password for the user, and automatically email the customer to let them know what’s up. While our solution is custom-written to allow for complete control and customization, there are other options out there for those of you that are less programming-savvy or just don’t have the time to deal with it:

You may want to consider running FTP on a different port which can create a deference for automated scripts. Instructions for doing this can be found here.

Enforcing Password Policies

Later versions of cPanel 11.25 allow you to enforce password policies for your customers, including password strength and timeouts, requiring users to select secure passwords and change them at intervals you specify. You can find this option in WHM > Security Center . The password life settings are not enabled until 11.25.1.

Brute-Force Detection

Keep in mind that the recent issues with FTP hacks in 2009 and 2010 were from Gumblar-related attacks, where the hacker obtained or sniffed out FTP passwords from a combination of exploitable software on the client’s PC. Therefore, brute-force protection isn’t going to help you here since the attacker already had the FTP login credentials before they even reached your server. However, in general it’s advisable to monitor any authenticated service for excessive login failures to prevent password guessing and accounts being compromised as a result. cPanel has built-in brute-force detection in a service called cpHulkd, which you can enable in WHM > Security Center. Or you can use BFD, which is an optional addon to APF.

Educating Your Customers

Most importantly, you need to be upfront with your customers about what’s going on. If you’re running a couple single small servers you can probably address this behind the scenes, but if you’re a larger hosting provider you might as well not even try to hide it. All this is going to do is prompt a lot of chatter that can damage your business’s reputation and generate more support contact from your customers.

Make sure your customers know what’s going on, and what you’re doing to help the situation. Even though most FTP hacks are probably not your fault, most of your customers probably don’t even care – all they want to know is what you are doing to protect their accounts. You also want to educate them on common security practices when it comes to managing their accounts. Here are some examples of hosting providers that promptly identified an issue with FTP security and notified their customers accordingly:

I just want to clarify that “TLS Encryption Support” will only appear in the FTP Server Configuration screen if you are using ProFTPD. If you are using PureFTPD, this option will not appear until you switch to ProFTPD using the FTP Server Selection screen in WHM.

Also, in a cPanel/WHM environment, granting SSH access is not required for SFTP. All cPanel users are granted SFTP access by default, but they can only perform actions that can be performed via SFTP. For additional shell access, either Jailed Shell or Normal Shell access will need to be assigned to that cPanel user.